Bad OpSec led to the downfall of teenage DDoS-for-hire group leader

A UK teenager and leader of a DDoS-for-hire group pleaded guilty to three counts of making fake bomb threats that affected thousands of students and resulted in the grounding of a United Airlines flight.

Thinkstock

Bad OpSec has led to the downfall of many, including braggarts in DDoS-for-hire groups. Both security journalist Brian Krebs and ProtonMail aided law enforcement, which resulted in the arrest of a teenager who was the head of a hacking crew.

Last week, the U.K. National Crime Agency arrested George Duke-Cohan, leader of the DDoS-launching hacking group Apophis Squad. Duke-Cohan was known online as “optcz1,” “7R1D3N7” and “DoubleParallax.” The 19-year-old pleaded guilty to three counts of making false bomb threats that caused the evacuation of 400 schools and the grounding of a United Airlines flight.

Apophis Squad, which security journalist Brian Krebs said tried to match the actions of Lizard Squad, spent a good part of 2018 launching DDoS attacks against numerous sites, including Krebs on Security and ProtonMail — even though the group’s members were ProtonMail users.

Feds cant touch us. NCA cant touch us. KEK we the big bois running around the internet with our 1337 bootnet! Come catch us we are untouchable! Living on TOR nodes and Open DNS. Smoking that good stuff with our bois at radware.

Andy Yen, the founder of ProtonMail, pointed at that tweet after explaining:

Our security team began to investigate Apophis Squad almost immediately after the first attacks were launched. In this endeavor, we were assisted by a number of cybersecurity professionals who are also ProtonMail users. It turns out that despite claims by Apophis Squad that federal authorities would never be able to find them, they themselves did not practice very good operational security. In fact, some of their own servers were breached and exposed online.

By sifting through the clues, we soon discovered that some members of Apophis Squad were in fact ProtonMail users. This was soon confirmed by a number of law enforcement agencies that reached out to us. It seemed that in addition to attacking ProtonMail, Duke-Cohan and his accomplices were engaged in attacking government agencies in a number of countries. Predictably, this triggered law enforcement agencies to make MLAT requests asking us to render assistance to the extent that is possible given ProtonMail’s encryption.

After some social engineering that led to the grounding of United Airlines Flight 949, the group bragged about grounding the plane.

When announcing that Duke-Cohan pleaded guilty to the bomb threats, the National Crime Agency wrote, “In a recording of one of the phone calls which was made while the plane was in the air, he takes on the persona of a worried father and claims his daughter contacted him from the flight to say it had been hijacked by gunmen, one of whom had a bomb.”

The NCA said, “On arrival in San Francisco the plane was the subject of a significant security operation in a quarantined area of the airport. All 295 passengers had to remain on board causing disruption to onward journeys and financial loss to the airline.”

The NCA went on to say Duke-Cohan “carried out these threats hidden behind a computer screen for his own enjoyment, with no consideration for the effect he was having on others. Despite being arrested and having conditions imposed restricting his use of technology, he persistently broke those conditions to continue his wave of violent threats.”

“This investigation proves that operating online does not offer offenders anonymity,” NCA wrote. “We will identify you and you will be brought before the courts.”

Further charges agains Duke-Cohan pending

ProtonMail believes “further charges are pending, along with possible extradition to the U.S.” The company said it identified others who have been attacking ProtonMail and have been “working with the appropriate authorities to bring them to justice.”

Our mission is to bring privacy, security, and freedom of information to citizens around the world. However, this does not extend to protecting individuals who are engaged in criminal activities. That’s why we will investigate to the fullest extent possible anyone who attacks ProtonMail or uses our platform for crime. We will also cooperate with law enforcement agencies within the framework of Swiss law.